DETAILED ACTION

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to
37 CFR 1.114. Applicant's submission filed on 05/04/2009 has been entered.

2. Claims 1-2 and 4-13 are pending, and claim 3 is canceled. 

3. Claims 1, 2 and 4-6 are amended. 

Information Disclosure Statement 

4. The information disclosure statement (IDS) submitted on 10/08/2004 has been
considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form
PTO-1449 is signed and attached hereto.

Priority 

5. Acknowledgment is made of applicant's claim for foreign priority under 35
U.S.C. 119(a)-(d). The certified copy has been filed in parent Application No. 10510606, filed
on 10/08/2004.

Oath/Declaration 

6. The oath filed on 05/19/2005 complies with all the requirements set forth in MPEP 602
and therefore is accepted. 

Drawings 

7. The drawings filed on 10/08/2004 are accepted.



Response to Amendment 

Applicant's arguments for some are not persuasive and new ground of rejection is closed 
herein for some argument(s). 

Regarding argument, remark page 8 par. 2, "Menezes does not explicitly teach
transmitting data" argument is not persuasive because Menezes does teach transmitting data as
applicant explains on the remark page 6 last par. "Wherein -B-> A represents B transmitting to 
A" that is transmitting data. Data as claimed is any data. If applicant's data is different data then 
it needs to be claimed. 



Regarding argument, remark page 7 last par., Menezes fails to teach B sends data (i.e.
data +rB), argument is not persuasive because according to sec. 10.16-10.17: A <- B : rB means
random number (data) and identifier to the random number data.

(see section 10.16-10.17 wherein . . . rA and tA respectively denote a random number and a timestamp 
generated by A. . . Ek denotes a symmetric encryption algorithm . . . It is assumed both parties are aware 
of the claimed identity of the other, either by context or by additional (unsecured) clear text data 
fields. Optional message fields are denoted by an asterisk (*), ... 

1. unilateral authentication, timestamp-based:

A -> B : Ek(tA,B*)

Upon reception and decryption, B verifies that the timestamp is acceptable and optionally 
verifies the received identifier as its own. The identifier B here prevents 

2. unilateral authentication, using random numbers:
To avoid reliance on timestamp

A <- B : rB
A -> B : Ek(rB, B*)

B decrypts the received message and checks that the random number matches that is sent. 
Optionally, B checks that the identifier (received) is its own . . . . 

3. mutual authentication using random numbers:

A <- B : rB 

A -> B : Ek(rA, rB, B*) 
A <- B : Ek(rB,rA) ... 

10.17 Remark (doubling unilateral authentication) 

(ii) Challenge-response based on (keyed) one-way functions

3. to enable independent MAC computation by the recipient, the additional cleartext field
tA must be sent in message of the one-pass mechanism.

The revised three-pass challenge-response mechanism based on a MAC hk, with actions 
as noted above provide mutual identification. . . . 
A <- B : rB

A -> B : rA; hk(rA,rB,B)
A <- B : hk(rB,rA,A) ...)
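
The three-pass MAC-based exchange quoted above, together with the receiver-side check that returns a yes/no result, can be exercised as follows. This is an added example, not code from the Office action, the cited references or the application; HMAC-SHA-256 standing in for hk, the length-prefixed field encoding, the 16-byte nonces, the 5-second response window and the `Party` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def h_k(key, *fields):
    """Keyed one-way function h_k (HMAC-SHA-256 here, an assumption).
    Fields are length-prefixed so (rA, rB, id) cannot be re-split."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


class Party:
    """One end of the three-pass exchange; `peer` is the other side's claimed identity."""

    def __init__(self, name, peer, key, timeout=5.0, clock=time.monotonic):
        self.name, self.peer, self.key = name, peer, key
        self.timeout, self.clock = timeout, clock
        self._own = self._theirs = None   # outstanding nonces
        self._issued = 0.0

    def challenge(self):
        """B, message (1): A <- B : rB"""
        self._own, self._issued = secrets.token_bytes(16), self.clock()
        return self._own

    def respond(self, r_b):
        """A, message (2): A -> B : rA, hk(rA, rB, B)"""
        self._own, self._theirs = secrets.token_bytes(16), r_b
        return self._own, h_k(self.key, self._own, r_b, self.peer)

    def confirm(self, r_a, tag):
        """B checks message (2); returns message (3) hk(rB, rA, A), or None to refuse."""
        r_b, self._own = self._own, None   # each challenge is usable once
        if r_b is None or self.clock() - self._issued > self.timeout:
            return None
        if not hmac.compare_digest(tag, h_k(self.key, r_a, r_b, self.name)):
            return None
        return h_k(self.key, r_b, r_a, self.peer)

    def accept(self, tag):
        """A checks message (3), which must bind A's own nonce and identity."""
        r_a, self._own = self._own, None
        if r_a is None:
            return False
        return hmac.compare_digest(tag, h_k(self.key, self._theirs, r_a, self.name))


def run_demo():
    now = [0.0]                            # constructed clock for the timeout case
    def clock():
        return now[0]
    key = secrets.token_bytes(32)          # constructed shared key
    a = Party(b"A", b"B", key, clock=clock)
    b = Party(b"B", b"A", key, clock=clock)
    out = {}
    r_a, tag2 = a.respond(b.challenge())
    tag3 = b.confirm(r_a, tag2)
    out["honest"] = tag3 is not None and a.accept(tag3)
    b.challenge()                          # fresh rB: the old message (2) is stale
    out["replay"] = b.confirm(r_a, tag2) is not None
    r_b = b.challenge()                    # tag bound to the wrong identifier
    out["wrong_id"] = b.confirm(r_a, h_k(key, r_a, r_b, b"A")) is not None
    r_a, tag2 = a.respond(b.challenge())
    now[0] += 6.0                          # response arrives after the 5 s window
    out["late"] = b.confirm(r_a, tag2) is not None
    return out


if __name__ == "__main__":
    print(run_demo())
```
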

Claim Rejections - 35 USC § 101 

8. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

Claims 1-2 and 4-13 are rejected under 35 U.S.C. 101 based on Supreme Court precedent 
and recent Federal Circuit decisions, a 35 U.S.C § 101 process must (1) be tied to a particular 
machine or (2) transform underlying subject matter (such as an article or materials) to a different 
state or thing. In re Bilski et al, 88 USPQ 2d 1385 CAFC (2008); Diamond v. Diehr, 450 U.S.
175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S.
63, 70 (1972); Cochrane v. Deener, 94 U.S. 780, 787-88 (1876).

An example of a method claim that would not qualify as a statutory process would be a 
claim that recited purely mental steps. Thus, to qualify as a § 101 statutory process, the claim 
should positively recite the particular machine to which it is tied, for example by identifying the 
apparatus that accomplishes the method steps, or positively recite the subject matter that is being 
transformed, for example by identifying the material that is being changed to a different state. 

Here, applicant's method steps are not tied to a particular machine and do not perform a 
transformation. Thus, the claims are non-statutory. 

The mere recitation of the machine in the preamble with an absence of a machine in the
body of the claim fails to make the claim statutory under 35 USC 101. Note the Board of Patent
Appeals Informative Opinion Ex parte Langemyer et al.

Claim Rejections - 35 USC §103 

9. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

10. Claims 1-2, 5, 7-8, 10, and 12-13 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Menezes "Handbook of applied cryptography" in view of Haumont USPN
6763112 B1. Beaver et al. USPN 7234059 B1.

Regarding claim 1, Menezes discloses a method for verifying that data received by a receiver (pp 
401 sec. 10.16; data integrity/authentication ... and receiver (B)) have been sent by a transmitter 
(sender/claimant (A)) authorized by a trusted third party (pp 400 sec. 10.3.2 lines 1-7; trusted on- 
line server), the transmitter and the receiver being connected to a digital network (pp 400 sec. 
10.3.2 lines 1-7 and pp 401 sec. 10.16 lines 1-27), the method, for the receiver comprising: 

(a) receiving the data and an identifier for the data (10.16-10.17); 

(b) generating a random number (pp 401 sec. 10.16 lines 7-24; random number is
generated... rA, rB);

(c) broadcasting said random number and said identifier over the network (pp 401 sec.
10.16 line 24; equation (1) and/or rB is transmitted to A .... rB is based on B's identifier ... pp
401 sec. 10.16 lines 11-pp 402 sec. 10.17 (ii); rA and rB are exchanged between A and B);

(d) receiving from the transmitter a response computed by applying a first function to 
said random number and to said identifier (pp 401 sec. 10.16 line 25; equation (2) and/or 
Ek(rB,B*)); and 

(e) verifying the received response by applying a second function to the received 
response, to said random number and to said identifier (pp 401 sec. 10.16 lines 9-31; B decrypts 
Ek(rB,B*) using decryption algorithm Ek and checks/verifies the integrity and identity using 
random number sent). 

Menezes discloses the trusted on-line server providing common session key (see pp 400 
sec. 10.3.2 lines 3-7 to A and B) and algorithm Ek that denotes symmetric encryption algorithm 
with a key K is shared by A and B see pp 401 sec. 10.16 lines 9-11, and the algorithm Ek is used 
in A and B for security and/or verification (see pp 401 sec. 10.16 lines 1-27).

However Menezes fails to explicitly disclose the Ek being transmitted to A and B from 
the trusted on-line server. 

Haumont discloses a method of trusted third party (CN) transmitting UMTS Integrity 
Algorithm (UIA) and UMTS Encryption Algorithm (UEA) to mobile station (MS) or radio 
network controller (RNC) (col. 5 lines 65-col. 6 lines 2), via distributed network (see fig. 1 and 
col. 4 lines 46-65), for proper challenge response authentication integrity result (see col. 5 lines 
4-32 and fig. 2) and integrity is verified by transmitting challenge/random from CN to MS, in 
response to the received challenge the MS applying algorithm to produce a result, transmitting 
the generated result to CN and acknowledging the RNC (see col. 6 lines 3-24 and fig. 4 and fig.
2). 

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teachings of Haumont within the system of Menezes 
because they are analogous in challenge response integrity authentication. One would have been 
motivated to incorporate the teachings to properly perform integrity authentication using the 
trusted algorithm. 

Haumont discloses a temporary anonymous identity instead of IMSI identity of MS 
however the combination fails to explicitly disclose wherein transmitter authorized by a trusted 
third party to transmit the data, and wherein the receiver does not know the identity of the 
transmitter. 

Beaver et al. teaches an anonymous authentication (see col. 4 lines 13-col. 5 lines 30), 
receiving data and data identifier (see col. 5 lines 64-col. 6 lines 41 and col. 9 lines 46-col. 10 
lines 66) wherein the TTP authorizing transmitter to transmit data (col. 7 lines 22-50 and col. 9 
lines 46-col. 10 lines 66), verifying data received by a receiver is sent by authorized transmitter 
(and col. 9 lines 46-col. 10 lines 66 and claim 1) and wherein the receiver does not know the 
identity of the transmitter (see col. 8 lines 6-45). 

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teachings to anonymously verify the sender and data. 

Regarding claim 5, Menezes discloses a method for proving that data sent to a receiver (pp 401 
sec. 10.16; data integrity /authentication ... and receiver (B)) have been transmitted by a 
transmitter (sender/claimant (A)) authorized by a trusted third party (pp 400 sec. 10.3.2 lines 1-7;
trusted on-line server), the transmitter and the receiver being connected to a digital network (pp
400 sec. 10.3.2 lines 1-7 and pp 401 sec. 10.16 lines 1-27), characterized in that wherein an
identifier is associated with the data sent by the transmitter (pp 401 sec. 10.16 lines 7-page 402
lines 8; B checking the identifier in equation (2) is its own... random number rB is based on B's
identity... same for A i.e. rA is based on A's identity) the method, for the transmitter comprising:

(a) sending the data and the identifier for the data to the receiver (see section 10.16-10.17);

(b) receiving a random number from the receiver (pp 401 sec. 10.16 line 24; equation (1) 
and/or rB is received at A); 

(c) computing a response by applying a first function to said random number and to said 
identifier (pp 401 sec. 10.16 lines 9-31; equation (2) and/or Ek(rB,B*) wherein Ek is the
encryption algorithm and rB is based on B's identity); and

(d) sending said response to the receiver (pp 401 sec. 10.16 line 25; equation (2)); 

said response being verified by the receiver by applying a second function to the received 
response, to said random number and to said identifier (pp 401 sec. 10.16 lines 9-31; B decrypts 
Ek(rB,B*) using decryption algorithm Ek and checks/verifies the integrity and identity using 
random number rB sent that is based on B's identity).

Menezes discloses the trusted on-line server providing common session key (see pp 400 
sec. 10.3.2 lines 3-7 to A and B) and algorithm Ek that denotes symmetric encryption algorithm 
with a key K is shared by A and B see pp 401 sec. 10.16 lines 9-11, and the algorithm Ek is used 
in A and B for verification (see pp 401 sec. 10.16 lines 1-27).

However Menezes fails to explicitly disclose the Ek being transmitted to A and B from
the trusted on-line server. 

Haumont discloses a method of trusted third party (CN) transmitting UMTS Integrity 
Algorithm (UIA) and UMTS Encryption Algorithm (UEA) to mobile station (MS) or radio 
network controller (RNC) (col. 5 lines 65-col. 6 lines 2), via distributed network (see fig. 1 and 
col. 4 lines 46-65), for proper challenge response authentication integrity result (see col. 5 lines 
4-32 and fig. 2) and integrity is verified by transmitting challenge/random from CN to MS, in 
response to the received challenge the MS applying algorithm to produce a result, transmitting 
the generated result to CN and acknowledging the RNC (see col. 6 lines 3-24 and fig. 4 and fig. 
2). 

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teachings of Haumont within the system of Menezes 
because they are analogous in challenge response integrity authentication. One would have been 
motivated to incorporate the teachings to properly perform integrity authentication using the 
trusted algorithm. 

Haumont discloses a temporary anonymous identity instead of IMSI identity of MS 
however the combination fails to explicitly disclose wherein transmitter authorized by a trusted 
third party to transmit the data, and wherein the receiver does not know the identity of the 
transmitter. 

Beaver et al. teaches an anonymous authentication (see col. 4 lines 13-col. 5 lines 30), 
receiving data and data identifier (see col. 5 lines 64-col. 6 lines 41 and col. 9 lines 46-col. 10 
lines 66) wherein the TTP authorizing transmitter to transmit data (col. 7 lines 22-50 and col. 9 
lines 46-col. 10 lines 66), verifying data received by a receiver is sent by authorized transmitter
(and col. 9 lines 46-col. 10 lines 66 and claim 1) and wherein the receiver does not know the 
identity of the transmitter (see col. 8 lines 6-45). 

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teachings to anonymously verify the sender and data. 

Regarding claim 2, Menezes discloses the method in which the step (b) is replaced by a step 
comprising in sending said random number to the transmitter (pp 401 sec. 10.16 line 24-pp 402 
line 8; rB). 

Regarding claim 7, Menezes discloses the method wherein the identifier associated with the data 
sent by the transmitter is a random number generated by the initial transmitter of the data in the 
network and attached to said data by the initial transmitter (pp 401 sec. 10.16 lines 7-page 402 
lines 8; B checking the identifier in equation (2) is its own using random number rB... random 
number rB is based on B's identity... same for A i.e. rA is based on A's identity).

Regarding claim 8, Menezes discloses the method wherein the first function is a public function 
using a secret key (pp 402 sec. 10.17 lines 9-34; hk is a one-way hash function that is known to 
both the sender and receiver and uses a shared key/secret key). 

Regarding claim 10, Menezes discloses the method wherein the first function is a secret function 
(pp 402 lines 1-8; algorithm Ek is used that prevents chosen-text attacks). 

Regarding claim 12, Menezes discloses the method wherein the first function is a public function
for signature generation with the aid of a private key (pp 404 sec. (ii) lines 11; SA). 

Regarding claim 13, Menezes discloses the method wherein the second function is a public 
function for signature verification with the aid of a public key corresponding to the private key 
used by the first function (pp 404 sec. (ii)-pp 405 lines 18; SA is signature algorithm for 
verification with the aid of public key-private key). 

11. Claims 4, 6, 9 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Menezes "Handbook of applied cryptography" in view of Haumont USPN 6763112 B1. and
further in view of Teper et al. USPN 5815665.

Regarding claim 4, the combination of Menezes and Haumont discloses all the subject
matter as disclosed above. The combination is silent in details of inhibiting access to said data if
the response received in the step (d) is not correct or if no response is received after the expiry of 
a predetermined time starting from the transmission of the random number. 

However Teper et al. teaches a method for a user to connect to a service provider (SP) 
site and attempt to access an online service and the SP initiating a challenge-response 
authentication that allows an online brokering service to authenticate the user for the SP site, SP 
sending challenge message to the user's computer over the distributed network/Internet, user 
generating and returning response message that is based on the challenge message received and 
user's identifier/password and the response is authenticated for requested access and providing or
denying access based on authentication result (see col. 9 lines 50-col. 10 lines 65 and col. 3 lines 
5-44) that reads on a method wherein the receiver inhibits access to said data if the response 
received in the step (c) is not correct. 

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to combine the teachings of Teper et al. within the combination system 
because they are analogous in challenge response authentication. One would have been 
motivated to combine the teachings to securely provide access to authorized and authenticated 
user. 

Regarding claim 6, the combination discloses the method in which the transmitter also 
receives in the step (b) said identifier associated with the data received by the receiver (see 
Menezes pp 401 sec. 10.16 lines 7-page 402 lines 8; receiving rA and rB at B and A that are 
based on A's and B's identity) and checking/authenticating A's and B's identifier in using
challenge response message is also described see Menezes sec. 10.16 on page 401-402. 

The combination is silent in wherein said in which the steps (c) and (d) are not carried out 
unless said identifier received in the step (b) corresponds to the identifier associated with the data 
that the transmitter has just sent. 

However Teper et al. discloses a SP asking an online broker to authenticate a user by 
sending an encrypted pass-through message that includes user's response message, that is based 
on challenge response, and that includes the user's unique ID and the online broker looks up 
database for user's password based on the user's unique ID and determines whether the received 
response message corresponds to the user's password and the received challenge, generating
correct response from the password and the received challenge message using same function 
used by the user computer and compare/authenticate the response message (see col. 10 lines 44- 
65 and col. 9 lines 50-67) that reads on in which the steps (b) and (c) are not carried out unless 
said identifier received in the step (a) corresponds to the identifier associated with the data that 
the transmitter has just sent. 

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teaching of Teper et al. within the combination system 
because they are analogous in challenge response authentication. One would have been 
motivated to do so to generate correct response and/or if the identifier does not match the 
receiver never generates same and authentic response as received response. 

Regarding claim 9, the combination of Menezes and Haumont discloses authenticating 
and verifying data using challenge-response by applying to said random number and to said 
identifier the first function with the secret key (see Menezes pp 401 sec. 10.16). The combination 
is silent in giving details about the method wherein the second function is a boolean function and 
further comprising: computing an expected response and comparing the expected response with 
the response received in order to deliver: a "0" value if the expected and received responses are 
different and a "1" value if the expected and received responses are equal.

However Teper et al. discloses the method wherein the second function is a boolean 
function (see fig. 6 and col. 17 lines col. 18 lines 38) 

computing an expected response (fig. 6 element 102) and 

comparing the expected response with the response received in order to deliver (fig. 6
element 104): 

a "0" value if the expected and received responses are different (fig. 6 element 106; 
returning "No") and 

a "1" value if the expected and received responses are equal (fig. 6 elements 108-114;
"yes").

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teachings of Teper et al. within the combination system 
because they are analogous in generating a challenge response message and comparing the 
generated response with received for valid authentication. One would have been motivated to 
incorporate to grant/deny access based on the verification result. 

Regarding claim 11, the combination discloses authenticating and verifying data using
challenge-response by applying the first function to said random number and to said identifier 
(see Menezes pp 401 sec. 10.16). The combination is silent in giving details about the method 
wherein the second function is a boolean function and further comprising: computing an 
expected response and comparing the expected response with the response received in order to 
deliver: a "0" value if the expected and received responses are different and a "1" value if the 
expected and received responses are equal. 

However Teper et al. discloses the method wherein the second function is a boolean 
function (see fig. 6 and col. 17 lines col. 18 lines 38) 

computing an expected response (fig. 6 element 102) and 

comparing the expected response with the response received in order to deliver (fig. 6
element 104): 

a "0" value if the expected and received responses are different (fig. 6 element 106; 
returning "No") and 

a "1" value if the expected and received responses are equal (fig. 6 elements 108-114;
"yes").

Therefore it would have been obvious to one having ordinary skill in the art at the time of 
the invention was made to modify the teachings of Teper et al. within the combination system 
because they are analogous in generating a response message and comparing the generated 
response with received for valid authentication. One would have been motivated to incorporate 
to grant/deny access based on the verification result. 

Conclusion 

12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to ELENI A. SHIFERAW whose telephone number is
(571)272-3867. The examiner can normally be reached on Mon-Fri 8:00am-5:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser R. Moazzami can be reached on (571) 272-4195. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Eleni A Shiferaw/ 
Examiner, Art Unit 2436 



